Protecting USB Flash Drives (thumb drives) from malware

So, it got you too? Don't worry you are not alone. I was bitten once, shame on you (malware creators)! I was bitten twice, shame on
me! There is no saying for the third time, something had to be done.
When large capacity USB flash drives became widely available at affordable prices, they came
as a blessing sent to replace cumbersome CD-s and DVD-s. But as often, blessings and curses often come in pairs. It turned out that such tiny and movable memory devices are irresistible breeding
ground for all kinds of viruses, worms, trojans and other kinds of malware! And not
just flash USB drives. Any removable data storing device soon became a viable target.

Mechanism of infection

To understand the
rest of this article, a short explanation is necessary about how the USB flash drive
infections spread.
We are all familiar with Windows' built-in autoplay feature as almost every CD/DVD
media makes use of it. Similarly so with USB storage devices, plug anything in and a dialog will pop up.
When mounting any removable storage volume, Windows will look for AutoRun.inf file in the root of
the volume. If found, it is parsed for instructions how to treat that drive. Very convenient feature by itself, but unfortunately convenient
for spreading malware too.
If you plug
your USB drive into a computer infected with malware, the nastiness will copy itself to the drive and create
AutoRun.inf referencing itself, waiting for the first opportunity to get
autostarted on another computer to infect it too. For the curious ones, it is explained
here in
more detail. USB drives are also very susceptible to plain-type viruses that infect executable
files as well as worms and trojans that pretend to be something else.

This time I'll be careful!

Antivirus software on a computer is a bit like airbags on a car, It's comforting to know
that they are there, but you don't actually want to rely on them to save you.
That's why you should learn how to handle USB flash drives safely. Luckily, Microsoft
has wisely given up on strictly implementing
aforementioned auto play feature. Nowadays, If you plug in a removable auto play enabled drive, Windows will
always ask what to
do with it. Then how come computers eventually get infected? Well, Windows will ask just
once, and then give you a plenty of opportunities to screw it up later. For
example, right after plugging it in, you will probably get a dialog
looking like
this...

Although it is generally safe to choose Open folder to view files
here, bear in mind that a lot of malware exploit this dialog by trying to mimic Open folder to view files
and if Windows are not up to date it might get you. The recommended practice would be to close
this dialog altogether and browse the drive with Windows Explorer instead.
Windows explorer can be quickly open with Win+E key combination. Navigate through
directory structure only by expanding the tree view (green), and never
double click on anything on the right side (red in the following picture)!
Each and every computer that picked up something from an infected USB flash
drive got it either by autostarting it (rarely) or much more often by careless
user double clicking something he or she should not have double clicked. It is also
advisable to enable displaying of hidden and system files in
Windows Explorer, as all malware regularly tries to hide itself that way. Also,
unhiding extensions for registered file types helps a lot in distinguishing a real folder
from a worm (extension .exe) that successfully mimics the look
of real folders.

Developing proper habits is the best protection strategy and with some
practice you can open positively infected USB drives with confidence that you won't infect
your computer. Always treat your USB flash drives as if they are infected. If they've
been around, they most probably are!

let's start protecting our thumbs

Our goal from now on will be to prevent infection of USB flash drives if possible,
minimize the damage when it happens anyway, and detect it instantly when
inevitable happens.

Quick thinking might yield an apparently sure-fire solution in the form of a drive with
a hardware write-protect
switch. Once upon a time manufacturers were making these, but not any more. If you manage to
get one, it will be from old stocks and of inferior capacity and speed. It isn't the definite solution as it may
seem anyway, read on.

Starting from Windows XP SP2 Microsoft had been thinking the same way.
They have introduced a registry key that makes all removable drives write
protected, as if by hardware switch. Here
it is:

Of course, you cannot carry it around on your thumb drive, it has to be entered manually before the USB drive is plugged in.
Each letter counts, omit one and your drive is writable without you knowing it
until it is too late!
Also, in the case of Windows XP, don't forget to check for SP2 before you rely on it! No restart is
necessary, and if you decide
later to reenable writing, just change 1 to 0 and not even unplugging/replugging of the device is
necessary (notice that malware can do this too!). However efficient this may
seem,
similar to the hardware switch, it won't be useful in many situations as
you will usually want to transfer some data onto the drive while keeping already
present content intact. Later we will learn how to split an USB drive into writable and
read-only parts. As the writable part is sure to get infected, let's first work on detection.

At least let me know when my stick is sick!

WARNING: the suggested procedure assumes that there are no user files in
the root of the target drive! Move all your files to folders, otherwise they
will be deleted. It is generally a bad idea to keep any user files in the
root of any drive.
Scroll back and look at the screen capture of the Windows Explorer window above and notice
that drive H: shows custom icon .
The AutoPlay dialog presents the same icon. Besides making the drive easily
noticeable in the crowded space of Windows drive letters, the icon plays one very
important security role. The icon is
specified in AutoRun.inf file in the root of the drive. The
malware, if present, would replace our AutoRun.inf file with its own AutoRun.inf, thus
phasing out our icon. Missing icon from the usual places is the sure sign that something
somewhere very probably went wrong!
The very basic AutoRun.inf that just customizes drive icon looks like this:

[AutoRun]
icon=MyIcon.ico

Creating custom icons like the one above is no rocket science, you can draw them
with Windows inbuilt MS Paint.
In image attributes specify a bmp image of 32x32
pixels, draw something, ask your children to help (they will be glad to). Place
one single black dot in the top-left corner, it will preserve all the other
colors (don't ask me to explain here). Save the result as MyIcon.bmp and simply rename it to MyIcon.ico.
Technically speaking that isn't an icon file, but Windows could not care less and will display and resize it properly as if it was a real
*.ico file. Perfectionists can convert bmp to real icon using IrfanView, a free graphic viewer/editor.

One step further, it is not too difficult to create a self-cleaning USB
stick. The principle is to keep somewhere a backup copy of the original AutoRun.inf and compare
it with the currently active AutoRun.inf file. If not matching exactly, just restore from the
backup and indiscriminately wipe everything else. The full protection system we'll be
using later
contains the tool that can be used independently named test.bat. To check for infection
start test.bat, and if it just closes everything is OK. If not, you will be warned and offered
an option to disinfect. This
method is very simple and very effective in protecting the drive itself, yet it
doesn't provide any protection to the content of the drive. We can do
better.

The real stuff

What I consider the ultimate solution is splitting the USB drive into one
completely write protected and
thus safe portion, and
the rest left available for general use. The tool for achieving this comes from unexpected source,
the TrueCrypt disk encryption software. It
can create a virtual encrypted disk within a file
container and mount it as a real
disk drive.
The catch is that the virtual disk can be mounted in read-only mode. Luckily, running directly from
a USB flash drive (as portable application) is something TrueCrypt has been designed for.
All that is left to do is to somehow protect the portable TrueCrypt files from becoming infected and
to automate everything as much as possible to make it user-friendly.

Setting up the real stuff

Don't be scared off if the following seems a bit too technical, ask someone to help
just with setting it up. Once set up and running, you are a mouse click away from having rock solid USB
flash drive protection.
First, download TrueCrypt setup
file. These instructions are based on version 7.0a. Install it the
usual way into suggested Program Files folder.
Second, download Hidden Start
utility. We will be using just hstart.exe from the archive hstart.zip.
Don't unpack it yet.
Download this archive containing everything else and copy it to the
root
(the topmost folder) of
your USB drive. Extract the content of the archive to X:\mnt
folder (right-click on the archive, choose Extract All..., click Next,
Next, Finish). Now extract hstart.exe from hstart.zip
to X:\mnt
folder (open the archive by double clicking, drag the file from it to X:\mnt
folder). Of course, you will be using the actual letter of your USB drive
instead of X:.
Start (double click) 00mount.bat in the X:\mnt
folder. Under Windows 7/Vista a familiar UAC dialog
will probably pop up asking you to give permission to run Hidden Start.
Unless it is specifically marked as Security Warning, it is safe to
continue since it is a signed
application. Also ignore the warning that hstart.exe is
unprotected, we know it is for now, it won't be for long.
You will eventually get to the main menu looking like
this:

Now enter the command install. Don't look for it in the menu
since it is a hidden command, just type in install and press Enter.
If you've done everything right so far, you will be informed of a successful
installation. If the installation fails for some of the most common reasons, it
will be reported too. Try to remedy the failed step or start carefully from the
beginning.
We are almost done. Now it is time to read the TrueCrypt
beginner's tutorial and to learn how to create an encrypted volume file. When
you've learned how, create two encrypted volumes in the folder X:\mnt of your USB drive, name
them vol1.tc
and vol2.tc and assign them password abc123. The
file names and the password are hard coded in xmount.bat and have to be entered exactly (password is case
sensitive) or xmount.bat
has to be changed accordingly. Choose the size of encrypted volumes as you wish, this will be the
size of protected part of your USB drive. Bear in mind that the limit is 4 GB
(actually 4095 MB, 1 MB short of 4 GB) due to usual FAT32
formatting of flash drives and that's why we've created two volumes to be able to
store up to 8 GB of protected data. Peek into xmount.bat and you
will see how even more volumes can be added, or vol2.tc removed if
that much space is not needed. An alternative way to store more than 4 GB of protected
data in one piece would be to reformat USB flash drive to
NTFS file system, but it's got it's own drawbacks and I have opted to create
several smaller volumes instead.
Once installed, the system is completetly portable and can be moved to another
USB drive just by copying. Fell free to spread it around to help fight the
malware!
That's it! Let's test it. Unplug (don't forget to Safely Remove Hardware first)
your USB flash drive.

Using the real stuff

Plug in your freshly protected USB flash drive. Standard Windows
AutoPlay dialog should pop up. Notice the custom icon , that's the sign that AutoRun.inf hijacking malware has
not populated our stick.
Choose Open folder to view files using Windows Explorer from the dialog.
Better yet, close the dialog and navigate the stick via explorer's tree view.
Remember this?
Enter the X:\mnt folder. The first file in it is 00mount.bat
(it is named 00... to be the first in the list),
that's the main entry point of our protection. Starting it
(Windows Vista and Windows 7 will ask for UAC
confirmation) opens up the main menu. Sorry, no mouse here, You'll have to reach for the keyboard.
The menu options are:

Now choose W to mount volumes in writable mode. Additional confirmation will be required.
If everything
goes well, an empty window will open for each protected volume we created. Add your files to it and close it.
Start 00mount.bat again and choose U to unmount the
volumes. The window will flash blue to signal it.
Once prepared, the volumes are easily accessible for everyday use through automnt.bat
in the root of the drive. Run it once and it will
mount all the volumes in read-only mode (signaling it by green window) and show
their content each in it's own explorer window. Run it again and
the volumes will be
unmounted (the window will flash blue). No folders, no keyboard, no messy menus,
just mouse click and go. Mounted.txt file will be created to
indicate that some volumes are mounted.

In the case you suspect that the host drive became infected (there is no
icon, some suspicious files appeared, some folders or files disappeared...), run
the test.bat diagnostic tool. It can be used independently of
write protection. As described before, it will check if AutoRun.inf
file has changed and search for hidden files or folders, the typical signs of
malware activity. If anything suspicious is found, it will be reported, and
option offered to restore the drive to the original state. WARNING: restoring
the drive will erase all the files in the root of the drive! The files in
the folders are safe.

Mac OS, Linux...

No need to protect from malware here, of course. But suppose you sometimes
need to access your protected data on one of those systems, what then?
Well, you can always download and setup TrueCrypt to use it the usual way, it is
a pretty small download. And for the cases when the internet connection is not available, you can always carry TrueCrypt
installation files for Mac and Linux as unprotected files on the USB
drive and all the chances are that Windows viruses will leave them alone.

Conclusion

The practices introduced here have evolved out of pure necessity over a
period of several years, so the concept has had it's deal of field testing. Let
me take the opportunity to apologize for not publishing this earlier. It was
about to be published when Windows 7 was introduced with it's own share of bugs
and features. A major rewrite was needed to make it run as smoothly as under XP,
with a little help from Hidden Start.
The
whole thing is now simple to use, the protected part had proven to be totally
protected, and self-healing works well in usual severities of infection. There are some compromises
to benefit
simplicity (password is stored in clear text), but unless this strategy becomes widely
accepted and malware becomes aware of it, we can sleep peacefully.
The speed penalty is of no concern for flash drives as decrypring speed is greater than
the raw reading speed of majority of drives. Writing often turns out to be
much faster, as Windows handles one large file much better than many
smaller ones, and this is exactly how TrueCrypt functions.
The only significant drawback is inability to mount the volumes on a computer
without administrative privileges unless the TrueCrypt is already present.

Comments

tamrat says...

it looks like a good tutorial, i dont know why it didnt get many hits. problem is this guide protects the file you want to protect, not the whole flash drive. i thought just setting the autorun.inf\\\'s settings to Read Only would fix the problem of malawares messing with it. still good tut, now i can protect my .exe files since they are the ones infected easily.